IP-based mobile system includes at least one Mobile Node in a wireless communication system. The term “Mobile Node” includes a mobile communication unit, and, in addition to the Mobile Node, the communication system has a home network and a foreign network. The Mobile Node may change its point of attachment to the Internet through these other networks, but the Mobile Node will always be associated with a single home network for IP addressing purposes. The home network has a Home Agent and the foreign network has a Foreign Agent—both of which control the routing of information packets into and out of their network.
The Mobile Node, Home Agent and Foreign Agent may be called other names depending on the nomenclature used on any particular network configuration or communication system. For instance, a “Mobile Node” encompasses PC's having cabled (e.g., telephone line (“twisted pair”), Ethernet cable, optical cable, and so on) connectivity to the wireless network, as well as wireless connectivity directly to the cellular network, as can be experienced by various makes and models of mobile terminals (“cell phones”) having various features and functionality, such as Internet access, e-mail, messaging services, and the like. And, a home agent may be referred to as a Home Agent, Home Mobility Manager, Home Location Register, and a foreign agent may be referred to as a Foreign Agent, Serving Mobility Manager, Visited Location Register, and Visiting Serving Entity. The terms Mobile Node, Home Agent and Foreign Agent are not meant to be restrictively defined, but could include other mobile communication units or supervisory routing devices located on the home or foreign networks.
The Mobile Node keeps the Home Agent informed as to its current location by registering a “care-of address” with the Home Agent. Essentially, the care-of address represents the current foreign network where the Mobile Node is located. If the Home Agent receives an information packet addressed to the Mobile Node while the Mobile Node is located on a foreign network, the Home Agent will transmit the information packet to the Mobile Node's current location on the foreign network using the applicable care-of address.
The Foreign Agent participates in informing the Home Agent of the Mobile Node's current care-of address. The Foreign Agent also receives the information packets for the Mobile Node after the information packets have been forwarded by the Home Agent. Further, the Foreign Agent serves as a default router for out-going information packets generated by the Mobile Node while connected to the foreign network.
Foreign Agents and Home Agents periodically broadcast an agent advertisement to all nodes on the local network associated with that agent. An agent advertisement is a message from the agent on a network that may be issued under the Mobile IP protocol (RFC 2002) or any other type of communications protocol. This advertisement should include information that is required to uniquely identify a mobility agent (e.g. a Home Agent, a Foreign Agent, etc.) to a mobile node. Mobile Nodes examine the agent advertisement and determine whether they are connected to the home network or a foreign network.
If the Mobile Node is located on its home network, information packets will be routed to the Mobile Node according to the standard addressing and routing scheme. If the Mobile Node is visiting a foreign network, however, the Mobile Node obtains appropriate information from the agent advertisement, and transmits a registration request message to its Home Agent through the Foreign Agent. The registration request message will include a care-of address for the Mobile Node.
The registered care-of address identifies the foreign network where the Mobile Node is located, and the Home Agent uses this registered care-of address to forward information packets to the foreign network for subsequent transfer to the Mobile Node. A registration reply message may be sent to the Mobile Node by the Home Agent to confirm that the registration process has been successfully completed.
Upon moving to a new network, a mobile node detects its movement by receipt of a Router Advertisement message from a new router or exceeding the time interval for receiving an expected Router Advertisement message from a linked router. A mobile node can also periodically transmit a Router Solicitation message that will be received by a router on the foreign network and initiate transmission of a Router Advertisement message received by the mobile node.
The Router Advertisement message contains network prefix information that is used to form a care-of address for routing information packets from the home network to the mobile node on the foreign network. A Registration Request or Binding Update message (BU) is used to register the care-of address with the home agent and any active correspondence node communicating with the mobile node. The new Registration Request includes the care-of address, the home address, and a binding lifetime. A Registration Reply or Binding Acknowledgment message (BA) is sent in response to the Request or Binding Update message to either accept or reject the Binding Update as an authentication step. Routers on the networks will maintain the care-of address and home IP address association for the mobile node on a data table, ensuring that information packets can be routed to a mobile node connected to the foreign network.
In an IP-based mobile communication system, the Mobile Node changes its point of attachment to the network while maintaining network connectivity. The Mobile IP Protocol (RFC 2002) assumes that mobile IP communications with a Mobile Node will be performed on a single administrative domain or a single network controlled by one administrator. When a Mobile Node travels outside its home administrative domain, however, the Mobile Node may need to communicate through multiple foreign networks in order to maintain network connectivity with its home network. While connected to a foreign network controlled by another administrative domain, network servers must authenticate, authorize and collect accounting information for services rendered to the Mobile Node. These authentication, authorization, and accounting activities are called “AAA” activities.
Authentication is the process of proving someone's claimed identity, and security systems on a mobile IP network will often require authentication of the system user's identity before authorizing a requested activity. An AAA server on the networks authenticates the identity of an authorized user, and authorizes the Mobile Node's requested activity. Additionally, the AAA server will also support the accounting function, including tracking usage and charges for use of transmission links between administrative domains.
Remote Authentication Dial In User Service (RADIUS) is one widely utilized protocol for AAA. The RADIUS protocol defines message formats and data required for AAA that can be used on virtually any packet-based communication system. Functionally, RADIUS can perform client-server operations, network security, authentication, and accounting using standard information encoding under a UDP transmission protocol. RADIUS AAA server computers are widely deployed over wireless networks utilizing the RADIUS protocol to perform AAA functions.
Another function for the AAA server is to support secured transmission of information packets by storing and allocating security associations. Security associations refer to those encryption protocols, nonces, and keys required to specify and support encrypting an information packet transmission between two nodes in a secure format. The security associations are a collection of security contexts existing between the nodes that can be applied to the information packets exchanged between them. Each context indicates an authentication algorithm and mode, a shared key or appropriate public/private key pair, and a style of replay protection.
Extensions have been defined in the IP protocol, and extensions can be used in similar protocols, to support transmission of variable amounts of data in an information packet. This includes address information for mobile nodes, routers, and networks. The extension mechanism in IP permits appropriate addressing and routing information to be carried by any information packet, without restriction to dedicated message types such as discovery, notification, control, and routing information packet formats.
The general extension format includes a Type-Length-Value format. The Type data field (T) 1 occupies the first 8-bits (one octet) of the general extension. The value of this data field will designate the type of extension. The Length data field (L) 2 occupies the next 8-bits of the extension, and the value assigned is the length of the Value field (V) 3 in octets. The Value data field 3 occupies the remaining bits in the general extension as specified by the Type 1 and Length 2 data values.
Several functionalities in Mobile IPv4 require the Foreign Agent to add specific information to a Registration Request RRQ received from a Mobile Node before that Registration Request RRQ is forwarded to the Home Agent. This additional information should be protected from public disclosure, which requires the Foreign Agent to establish a security association with the Home Agent before the transmission of the RRQ to the Home Agent.
The Foreign Agent-Home Agent Authentication Extension (AE) is an optional extension that can be used to support secure communications between foreign and home networks. The use of the FA-HA Authentication Extension (AE) requires the presence of a security association between the Foreign Agent FA and the Home Agent HA. In order to establish the security association between the Foreign Agent and the Home Agent to support the FA-HA Authentication Extension (AE), the Foreign Agent must be able to dynamically allocate the security association parameters (e.g. FA-HA secret key, hash function, hash function mode, etc.) in the FA-HA access request message that will establish the security association between the Foreign Agent and the Home Agent.
The Foreign Agent and the Home Agent also index their security associations using a Security Parameters Index (SPI), and the Foreign Agent and the Home Agent also transmit IP addresses of the Mobile Node as an index for the security association between the Foreign Agent and the Home Agent. The allocation of this FA-HA security association is outside the scope of RFC 2002 (3344), and there is not a capability to dynamically allocate the necessary supporting information for the FA-HA security association at the present time. That is one objective of the present invention. Another objective is to support the dynamic allocation of parameters used in the FA-HA security association, with variable combinations and expansion of parameters that were statically pre-configured previously. There is a method proposed in the 3GPP2 standard to dynamically allocate a single secret key value using a AAA server, but this proposal does not maintain the synchronicity between the Foreign Agent and the Home Agent and does not allow for the dynamic allocation of other necessary parameters or security parameter index values.